[tor-relays] Intrusion Prevention System Software - Snort or Suricata

oconor at email.cz oconor at email.cz
Wed Oct 5 08:02:07 UTC 2016


Let's take it from the end.



- nowadays we use IPS to filter over 130k webhosting accounts. It's up to
the admin who sets what exactly should be filtered. It's definitely not about
the software used.

- I don't know how this BadExit evaluation thing works - if it evaluates nodes
automatically by accessing something over them, the IPS shouldn't be detected

- During my practice, I've met only like 10% of customers (tor exit node) with
real data - unfortunately the ISP is not the one who can judge that - we have to
trust our customer

- I say only one thing, it's necessary to solve the legality of the traffic.
The mood around the tor service, of all ISPs I know, is below zero. It would be
great to do something about that and I think that IPS with rules open to the
community is the way to go.

> On 5 Oct 2016, at 18:10, <oconor at email.cz> <oconor at email.cz> wrote:
> 
> We're back to IPS, which can drop the specific malicious traffic. I was
> speaking with the lawyer a few minutes ago. He told me that there is
> pressure to put all the responsibility for the traffic on the ISPs. Well ...
> what are the ISPs most probably going to do ... ? They can ban all tor exit
> nodes, or they will force the owners to clear the traffic.
> 
> When you're worried about being accused, why don't you use fake
> information during registration and payments with bitcoins? Then you can
> also filter the traffic by IPS ... and everybody will be happy.

There are a few things wrong with your suggested solution:
* it's really, really hard to stay anonymous on the Internet as an 
individual, and impossible for many corporations (it's hard to be 
transparent about how you spend money as a charity, and be anonymous at the 
same time),
* if all Tor Exit Nodes are anonymous, ISPs may block them more, not less,
* filtering will likely get your Exit marked as a BadExit,
* IPS aren't perfect - they let some unwanted traffic through, and block 
other traffic that is totally ok.

Tim

> 
> What should a tor exit op do? Ban the user? Exits get the traffic from
> middle nodes and we can't tell (by design) who anyone is. We can block IPs
> but that is not really helping with bots that try to find vulnerabilities
> and scan large blocks.
> 
> markus
> 
> Sent from my iPad
> 
> On 4 Oct 2016, at 23:55, <oconor at email.cz> <oconor at email.cz> wrote:
> 
> If I understand that well ... if a tor operator is aware that his tor node
> is used for illegal activity (when their ISP told them about that) and he's
> not going to do anything about that, he won't be guilty of complicity?
> 
> 
> On 04.10.16 22:37, oconor at email.cz wrote:
> 
> > Tor and IPS has both it's own nature and you shouldn't be punished, if
> > your intension was just to filter the bad traffic.
> 
> And who is to decide what constitutes "bad traffic"? I am not a lawyer,
> but in Germany one of the cornerstones of not being held responsible
> for traffic passing through a Tor node is § 8 of the Telemediengesetz:
> http://www.gesetze-im-internet.de/tmg/__8.html -- sometimes referred to
> colloquially as the "provider privilege".
> 
> One only is free of responsibility if one neither initiates a transfer,
> nor selects the transfer's destination, nor selects or modifies the
> transmitted data. That's what "passing through" means.
> 
> According to two lawyers I spoke to, exit policies might already be
> borderline breaking these rules for exit nodes, but the technical basis
> at least guarantees that traffic will never reach an exit node that does
> not let it pass. Now think of a firewall that interferes with transfers
> once the data has already reached the exit node. Wouldn't you agree that
> this means selecting/modifying the transmitted data?
> 
> That's just one national law that I am aware of, I imagine other
> countries have similar regulations in place. Any internet service
> provider interfering with net neutrality risks lawsuits, because it is
> not an ISP's prerogative to decide what traffic is "good" or "bad".
> 
> -Ralph
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org